
PCI DSS


PCI DSS compliance

The PCI DSS (Payment Card Industry Data Security Standard) establishes strict requirements for protecting payment card data. The key principle is to limit access to sensitive information as much as possible. The optimal solution for a business is to completely eliminate direct access to card data by delegating this task to certified payment providers.

Main prohibitions and data handling rules

Strictly prohibited:

  • requesting payment card numbers from customers;
  • receiving card numbers through insecure communication channels;
  • transmitting card numbers by any means outside the protected environment.

Action plan in typical situations:

Phone call: if a customer tries to dictate a card number due to a payment issue:

  • politely interrupt the customer;
  • explain that, according to security rules, such data cannot be accepted over the phone;
  • offer a secure way to solve the issue (for example, repeat the payment through a secure form on the website).

Electronic communication channels (email, messengers, social networks): if a customer sent a card number:

  • delete the message immediately;
  • notify the customer about the security policy violation;
  • recommend secure communication methods to resolve the issue;
  • ask them not to send such data through open channels in the future.

What data must be protected

Protected data includes:

1. Cardholder personal data:

  • PAN (card number);
  • cardholder name;
  • card expiration date.

2. Sensitive authentication data (SAD):

  • verification codes: CVV2, CVC2, CVP2 and equivalent codes;
  • PIN code;
  • magnetic stripe data;
  • other data used to verify the authenticity of the card.

Data storage rules

Storage requirements differ depending on the data type:

1. Sensitive authentication data (SAD) — it is strictly prohibited to store it in any form after the transaction authorization is completed. This includes temporary copies, logs, and backups.

2. PAN (card number) — storage is allowed, but only in protected form. Permitted formats:

  • encrypted data (using certified encryption algorithms);
  • hashed values (irreversible transformation);
  • masked data (only the BIN and last 4 digits may be displayed; the remaining characters must be hidden — for example, 1234****5678).

3. Cardholder name and card expiration date may be stored in clear text, since these data are not considered critically sensitive under the PCI DSS standard.
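The two practical checks behind the rules above are (a) recognising a card number that arrived through an open channel so the message can be redacted and the customer notified, and (b) turning a PAN into the forms that may be stored: a masked display value and a keyed one-way hash, with SAD never entering the record. The following Python is an added example written for this page; it is not Tranza's code and not part of the original text. It assumes a 6-digit BIN for the masked form, uses HMAC-SHA256 with a placeholder key for the hash (a plain unkeyed hash of a PAN is weak because the space of valid card numbers is small enough to enumerate), and uses the well-known test number 4111 1111 1111 1111 as constructed input.

```python
import hashlib
import hmac
import re

# Candidate PAN in free text: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Placeholder only: in a real deployment the key lives in a key-management system.
HASH_KEY = b"placeholder-hmac-key-not-for-production"


def _digits(value: str) -> str:
    """Strip the separators a customer typically types between digit groups."""
    return re.sub(r"[ -]", "", value)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs (phone numbers, order ids) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list[str]:
    """Return every PAN (digits only) found in an inbound email/chat message."""
    return [d for m in PAN_CANDIDATE.finditer(text) if looks_like_pan(d := _digits(m.group(0)))]


def mask_pan(pan: str, bin_len: int = 6) -> str:
    """Display form permitted by the storage rules: BIN + last 4, the rest hidden."""
    digits = _digits(pan)
    if len(digits) < bin_len + 4:
        raise ValueError("too short to be a PAN")
    return digits[:bin_len] + "*" * (len(digits) - bin_len - 4) + digits[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way transform usable as a lookup token; the PAN cannot be recovered from it."""
    return hmac.new(key, _digits(pan).encode("ascii"), hashlib.sha256).hexdigest()


def redact_message(text: str) -> tuple[str, int]:
    """Replace each PAN in the text with its masked form; returns (redacted_text, count)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = _digits(m.group(0))
        if looks_like_pan(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return PAN_CANDIDATE.sub(repl, text), count


def storage_record(pan: str, holder_name: str, expiry: str) -> dict:
    """Build the record that may be kept after authorization.

    The verification code and PIN are deliberately not parameters: SAD must not reach
    storage, logs or backups in any form, so the function cannot accept them.
    Name and expiry may be stored in clear text under the rules above.
    """
    return {
        "pan_masked": mask_pan(pan),
        "pan_hash": hash_pan(pan),
        "holder_name": holder_name,
        "expiry": expiry,
    }


if __name__ == "__main__":
    # Constructed inbound message using a public test card number.
    msg = "Payment failed, my card is 4111 1111 1111 1111, please retry"
    print(find_pans(msg))        # ['4111111111111111']
    print(redact_message(msg))   # ('Payment failed, my card is 411111******1111, please retry', 1)
    print(storage_record("4111 1111 1111 1111", "J. DOE", "12/29"))
```

The Luhn filter keeps false positives low on ordinary text, but a negative does not prove a message is clean (a customer may type a number with a typo), so the count from `redact_message` is best treated as a trigger for the "delete and notify" procedure rather than as the only safeguard.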

PCI DSS compliance with Tranza

Tranza is a certified service provider with the highest level of PCI DSS compliance. This means the service:

  • is authorized to store payment card data in accordance with security requirements;
  • can process more than 6 million payments annually;
  • undergoes annual certification audits to confirm compliance with the standard.

Advantages of working with Tranza:

  • all payment tools of the service are designed with PCI DSS requirements in mind;
  • when using standard solutions, you automatically meet security requirements — no additional protective measures are required;
  • the platform takes on the main burden of data protection, reducing risks for your business.

Special conditions: accepting payments via Checkout technology

To use Checkout technology, you must additionally confirm compliance with PCI DSS requirements:

  • Completion of the Self-Assessment Questionnaire (SAQ) — a document in which the company confirms compliance with the key requirements of the standard.
  • Quarterly vulnerability scanning — regular website checks for weak spots using a specialized scanner approved by PCI SSC (the PCI Security Standards Council).
  • Change monitoring — when making any changes to the payment infrastructure, compliance must be reassessed.

By following these rules and using reliable payment solutions such as Tranza, you will ensure a high level of data protection and compliance with international security standards.